Skip to content

Hide Navigation Hide TOC

GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185)

GlassWorm is a worm that propagated through supply chain attacks by compromising repository credentials from victim environments and having malicious payloads added to those compromised accounts for distribution to victims across the various development ecosystems.(Citation: Koi Glassworm InvisibleCode October 2025)(Citation: Aikido GlassWorm October 2025)(Citation: Socket GlassWorm January 2026) GlassWorm has numerous variants, including Rust binaries, encrypted JavaScript and a variant leveraging invisible Unicode characters that made reverse engineering difficult.(Citation: Koi Glassworm New Tricks December 2025)(Citation: Koi Glassworm InvisibleCode October 2025)(Citation: Koi GlassWorm Rust December 2025) GlassWorm has employed a unique command and control (C2) methodology using Solana blockchain.(Citation: Koi Glassworm Extensions November 2025)(Citation: Koi Glassworm InvisibleCode October 2025) GlassWorm was first reported in October 2025.(Citation: Koi Glassworm Extensions November 2025)(Citation: Koi Glassworm InvisibleCode October 2025)(Citation: Socket GlassWorm January 2026)

Cluster A Galaxy A Cluster B Galaxy B Level
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware AppleScript - T1059.002 (37b11151-1776-4f8f-b328-30939fbf2ceb) Attack Pattern 1
Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5) Attack Pattern GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Invisible Unicode - T1027.018 (e9b75bb0-b5ec-42c8-b728-f4f424d9c39e) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) Attack Pattern 1
Transmitted Data Manipulation - T1565.002 (d0613359-5781-4fd2-b5be-c269270be1f6) Attack Pattern GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Databases - T1213.006 (248d3fe1-7fe1-4d71-91c7-8bb7ef35cad3) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 1
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Delay Execution - T1678 (a1df809c-7d0e-459f-8fe5-25474bab770b) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Compromise Software Dependencies and Development Tools - T1195.001 (191cc6af-1bb2-4344-ab5f-28e496638720) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern 1
GlassWorm - S9010 (809bc57b-4d4c-43de-b698-448334ed8185) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern AppleScript - T1059.002 (37b11151-1776-4f8f-b328-30939fbf2ceb) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Invisible Unicode - T1027.018 (e9b75bb0-b5ec-42c8-b728-f4f424d9c39e) Attack Pattern 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Transmitted Data Manipulation - T1565.002 (d0613359-5781-4fd2-b5be-c269270be1f6) Attack Pattern Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) Attack Pattern 2
Databases - T1213.006 (248d3fe1-7fe1-4d71-91c7-8bb7ef35cad3) Attack Pattern Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 2
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 2
Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) Attack Pattern Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) Attack Pattern 2
Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7) Attack Pattern Compromise Software Dependencies and Development Tools - T1195.001 (191cc6af-1bb2-4344-ab5f-28e496638720) Attack Pattern 2
Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2